Suricata 7.0.0 released

We are excited to share the much-anticipated release of Suricata 7!

This has been a longer release cycle than usual for Suricata. We’ve come a long way. Among other reasons, we’d like to acknowledge the impact the pandemic has had on all of us.

Prior to this major release, we shared two release candidates so you, our community, could report your findings with us. Now, it’s time to share the result of all that joint effort with you all.

Our last major version came out in October 2020, and since then, we have been working hard to bring new, promising features to this version, alongside performance improvements and support for more protocols and rule keywords. We have highlighted some of those below.

Main features:

  • DPDK IDS/IPS support for primary mode was added
  • AF_XDP IDS support by Richard McConnell at Rapid7
  • HTTP/HTTP2 new keywords for header inspection
  • TLS: client certificate logging and detection
  • Bittorrent parser by Aaron Bungay
  • IPS: new default DROP behavior for exception policies
  • EVE documented and validated with a json schema
  • HTTP/2 support is no longer considered experimental
  • NETMAP API 14
  • Conditional PCAP by Eric Leblond and Scott Jordan
  • Initial libsuricata support
  • VLAN support extended from 2 to 3 layers

Performance improvements:

  • file.data MPM split per app protocol
  • New lighter rule profiling mode by Eric Leblond
  • SMB: many fixes and optimizations
  • Hash calculation using Rust crypto instead of NSS
  • Flow manager tuning
  • Many more performance-related counters
  • The stream buffer, used by the stream engine, file tracking, and more, is more memory efficient

Secure Deployment / Security

  • Linux Landlock support added by Eric Leblond
  • Use of setrlimit to prevent Suricata from creating another process
  • Lock cargo crates
  • Default to secure settings for Datasets and Lua
  • Maximum number of transactions for several protocols
  • New Security Policies: https://github.com/OISF/suricata/blob/master/SECURITY.md

Protocols

  • QUICv1, GQUIC support added. GQUIC contributed by Emmanuel Thompson
  • PostgreSQL support added
  • HTTP/2 deflate decompression, byte-ranges support
  • VN-Tag support
  • Modbus rewritten to Rust with Eve logging added by Simon Dugas
  • IKEv1 support added by Sascha Steinbiss and Frank Honza
  • ESP flow tracking and logging
  • Minimal telnet parser
  • Active flow and TCP counters
  • Network service header
  • Remove dependency on system’s /etc/protocols

Rules

  • Added new rule keywords for DHCP, Kerberos, SNMP, TLS, QUIC
  • JA3(s) support for QUIC
  • New (experimental) class of keywords through “frames API”: NFS, SMB, DNS, telnet, SSL/TLS
  • HTTP request files and NFS now support file.data
  • “XOR” transform was added
  • Lua: access to more rule info
  • The byte_test, byte_math, and byte_jump keywords allow a variable name for the byte count value.
  • flow.age keyword was added

IPS

  • Exception Policies added to better control packet handling in such conditions as memory caps being hit
  • DPDK support

Socket Control

  • Get flow stats over Unix socket
  • Datasets management commands were added

Output

  • Conditional packet capture allows packets to be written to disk only after an alert has been triggered
  • New “stream” eve output type for debugging the stream engine
  • Log engine verdict on rejected/dropped/passed packets

Dev corner

  • Total: 1375 files changed, 130027 insertions(+), 127626 deletions(-)
  • Rust: 173 files changed, 39279 insertions(+), 13830 deletions(-)
  • C: 978 files changed, 73882 insertions(+), 109446 deletions(-)
  • Docs: 142 files changed, 6636 insertions(+), 1890 deletions(-)
  • Much stricter C compiler flags.
  • Clang’s scan-build clean, which is enforced in CI.
  • CI was expanded.
  • Rust parsers upgraded to using Nom 7

Upgrade notes:

  • Suricata 7.0 now uses pcre2 instead of pcre1.
  • The MSRV (minimum supported Rust version) has been updated to 1.63.0 from 1.41.1 minimum in Suricata 6.0.
  • Support for Prelude (libprelude) has been removed
  • Suricata 7.0 requires and bundles libhtp 0.5.45

Read more: Upgrading from 6 to 7

Special Thanks

Oss-Fuzz, Coverity, Outreachy.

Outreachy interns: Tharushi Jayasekara, Sam Muhammed, Modupe Falodun, Haleema Khan

Community: Aaron Bungay, Alex, Alice Akaki, Andreas Dolp, Andreas Herz, Andrei Shchapaniak, Angelo Mirabella, Antti Tönkyrä, Arne Welzel, BACK Yonah, Bazzan Don, Benjamin Wilkins, Carl Smith, Catena cyber, Cole Dishington, Daisuke Fujimura (fd0), Daniel Young, David Beckett, David Korczynski, Eloy Pérez González, Emmanuel Thompson, Eric Leblond, Frank Honza, Gabriel Lima Luz, Gianni Tedesco, Gleb Smirnoff, Ilya Bakhtin, JacobRoed, Janani Ramjee, Jascha Sticher, Jason Taylor, Jeremy MountainJohnson, Joe Atzberger, John Dewey, Josh Soref, Joshua Lumb, Justin Azoff, Justin Ossevoort, Kevin Reed, Kevin Wang, Kirby Kuehl, Kristina Jefferson, Lancer Cheng, Long Doan, Luke Coughlan, Mats Klepsland, Maxim Korotkov, Michael Smith, Michael Tremer, Morris Chan, Odin Jenseg, Pierre Chifflier, Rafael Girão, Richard McConnell, Riju, Sascha Steinbiss, Scott Jordan, Simeon Miteff, Simon Dugas, Steven Ottenhoff, Sumera Priyadarsini, Thomas Norheim, Thomas Winter, Todd Mortimer, Travis Green, Vladimir Ivchenko, Wes Hurd, William Correia, William Harding, liaozhiyuan, myr463, showipintbri, tianjinshan.

About Suricata

Suricata is a high-performance Network Threat Detection, IDS, IPS, and Network Security Monitoring engine. It is open source and owned by a community-run, non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by OISF, its supporting vendors, and the community.


Hello,

I installed version 7.0.0 on my rpi and I have an error:
undefined symbol: htp_config_set_request_decompression.

Do you know why?

Regards

Hi there,

Could you give us a bit more info? How did you install, and when did you get that error?

Did you have any prior Suri installed?

Thanks!

I have this error at the end of the install, when suricata tries to run afterwards:

./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
make
sudo make install-full
sudo systemctl restart suricata

One possibility is that an older libhtp is installed in the system somewhere.

Which version is necessary?

At least version 0.5.45 is necessary

Thanks. This library is not installed on my rpi with the bullseye distribution. Do you know why?

Is this library used with the 6.x.x suricata version?

This library is used with the most recent 6.0.x release – 6.0.13

You’re building Suricata, so I suggest you get the libhtp repo (https://github.com/OISF/libhtp) and then use ./configure --help to view the options for including the libhtp distribution in your build.

Personally, I put the libhtp repo inside my suricata src repo

src/
libhtp/
configure.ac
...

Here’s an example of how I set things up:

$ git clone https://github.com/OISF/suricata
$ cd suricata
$ git clone https://github.com/OISF/libhtp

I see that the installation of the 0.5.45 version is already included in the suricata repository. In order to use it, do I have to do something particular during the installation process of suricata? My install script is: ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

You can tell Suricata’s configure step where the libraries and include files for libhtp reside with the following options — add them to your configure command line:

--with-libhtp-includes=DIR     #libhtp include directory
--with-libhtp-libraries=DIR    #libhtp library directory

I did that and it does not work:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --with-libhtp-libraries=/usr/lib/ --with-libhtp-includes=/home/pi/suricata-7.0.0/libhtp
make
sudo make install-full
sudo systemctl restart suricata

The .so is in /usr/lib and I still have the error:
/usr/bin/suricata: symbol lookup error: /usr/bin/suricata: undefined symbol: htp_config_set_request_decompression

The undefined symbol warning suggests an older libhtp in your system.
find / -type f -name libhtp.so
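As an added example (not code from this thread or from the Suricata project), a small POSIX shell triage helper for this undefined-symbol error: it asks ldd which libhtp the suricata binary actually loads, checks with nm whether that copy exports htp_config_set_request_decompression, and lists other libhtp.so copies on disk that could shadow the bundled one. It assumes a Linux host with ldd, nm (binutils) and find; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the Suricata project: triage for
# "undefined symbol: htp_config_set_request_decompression" after a 7.0.0 build.
# Assumes Linux with ldd, nm (binutils) and find available.

REQUIRED_SYM="htp_config_set_request_decompression"

# Read `ldd` output on stdin and print the path libhtp.so* resolves to.
# Prints nothing if libhtp is not dynamically linked or is reported "not found".
ldd_libhtp_path() {
    awk '$1 ~ /^libhtp\.so/ && $2 == "=>" && $3 != "not" { print $3; exit }'
}

# Read `nm -D` output on stdin; succeed only if the library DEFINES the given
# symbol (T = text, W = weak). An undefined import (U) does not count.
nm_defines_symbol() {
    awk -v sym="$1" '
        { name = $NF; sub(/@.*/, "", name) }
        name == sym && ($(NF-1) == "T" || $(NF-1) == "W") { found = 1 }
        END { exit !found }'
}

# Live triage against a real binary, e.g.: triage_libhtp /usr/bin/suricata
triage_libhtp() {
    bin="${1:-/usr/bin/suricata}"
    loaded="$(ldd "$bin" | ldd_libhtp_path)"
    if [ -z "$loaded" ]; then
        echo "$bin does not load libhtp.so dynamically (static/bundled build)"
        return 0
    fi
    echo "$bin loads libhtp from: $loaded"
    if nm -D "$loaded" | nm_defines_symbol "$REQUIRED_SYM"; then
        echo "OK: $loaded exports $REQUIRED_SYM"
    else
        echo "STALE: $loaded lacks $REQUIRED_SYM (older than the 0.5.45 Suricata 7 needs)"
    fi
    echo "Other libhtp copies on disk (candidates to remove or to fix the library path):"
    find / -xdev -name 'libhtp.so*' ! -path "$loaded" 2>/dev/null
}

# Only run the live triage when a binary path is given on the command line.
if [ $# -gt 0 ]; then
    triage_libhtp "$1"
fi
```

A STALE verdict with a second libhtp.so listed below it is exactly the situation described in this thread: the dynamic linker picks the old system copy before the one built from the bundled 0.5.45.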

So!!! It works now!

I removed:

  • any version of libhtp on my system (sudo apt-get remove … and rm *.so); I found a libhtp2 version
  • any version of suricata (sudo apt-get remove … and rm the old version (6.0.13))
  • I downloaded the last version (7.0.0)
  • make full

And the job is still running.

Thank you for your help!!
